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1. INTRODUCTION 

1.1. Background 

1.1.1. Reliability Goals for Flight-Critical Software 

Examples of digital computers being used in increasingly critical functions in flight 
management systems are the navigation, guidance, and energy management system for 
the Boeing 757/767 1 ’ 2 commercial jet transport series, the slat and flap control system 
for the Airbus Industries A310, 3 and the flight control system for the Gr umm an X29A. 4 
Since software failures can be equally as hazardous as hardware failures, the use of 
software to perform critical functions of these flight management systems necessitates 
demonstrating that the flight management software complies with Part 25 of the Federal 
Aviation Regulations. Toward this end, DO-178, published by the Radio and Technical 
Commission for Aeronautics (RTCA),-’ provides guidance on techniques and methods 
that may be used for building and certifying reliable flight control software. The FAA 
Advisory Circular 25.1309-1 ^ which references DO-178 defines the software reliability 
requirements by specifying three overlapping quantitative ranges which are to be inter- 
preted as the allowable risk for an hour of flight time based on a flight of mean duration 
for the type of airplane being certified. These ranges are associated with the frequency 
with which failure events may be expected to occur several times during the operational 
life of each airplane (i.e., probable events that occur with a probability on the order of 
1 x 10 -5 or greater). The failure events may not be expected to occur during the total 
operational life of a random single airplane of a particular type but may be expected to 
occur during the total operational life of all airplanes of a particular type (i.e., improb- 
able events that occur with a probability on the order of 1 x 10“ 5 or less ). These failure 
events are so unlikely that they need not be considered to occur ever unless engineering 
judgement would require their consideration (i.e., extremely improbable events that 
occur with a probability on the order of 1 x 10“ 9 or less). 

1.1.2. NASA-LaRC Software Reliability Research Goals 

The software reliability research sponsored by NASA-LaRC focuses on the develop- 
ment of a credible method for predicting operational reliability — that is, predicting the 
improbability that the system will fail due to residual faults re mainin g in the software. ^ 
It is these residual faults, which surface infrequently, that cause the rare event or 
extremely improbable failures. As evidenced by the first well-publicized Space Shuttle 
software bug, the failure of the initialization logic in J. Garman’s words resulted from a 
“very small, very improbable, very intricate, and a very old mistake.”® This bug typifies 
the rare and convoluted combination of events which cause carefully developed software 
to fail. 

Although considering all faults is important in reliability prediction, the most prob- 
able faults are often eliminated using the software quality assurance methods described 
in RTCA DO-178. The research thus concentrates on the development of a method 
which yields quantitative assurance that the aggregate probability of the remaining, less 
probable faults, constitutes an acceptable risk. Accordingly, the System Validation 
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Branch of NASA - Langley Research Center has used a probability value of 10 -9 for a 
ten hour flight as an informal standard in the construction of a credible reliability predic- 
tion method for validating critical software." To date no known software has been vali- 
dated to that extent. 


1.2. Study Objectives 

The construction of a credible reliability prediction method for critical software is 
hindered by our lack of knowledge about the underlying nature of the software failure 
process. This lack of knowledge contributes to our inability to eradicate or tolerate faults 
and to our lack of confidence in the extent to which we have approximated the goal of 
minimal defects, i.e., achieving a reliability of less than 1 x 10 -9 for a ten hour flight. 
The study was undertaken to provide data for use in developing a model for predicting 
the reliability of software in systems with feedback, namely flight control. In particular, 
we were interested in the software error burst phenomenon ^ and in gauging the effect 
of these bursts on the behavior of the system. A software error burst is a sequence of 
observations of erroneous outputs which are repeated manifestations of latent software 
faults that due to the memory of the system and the correlated nature of the inputs can 
eventually lead to a system failure. The frequency and duration of these bursts may 
severely effect the operational reliability of process control software, and consequently 
may be a critical reliability prediction parameter. 

1.3. Related Work 

The flight control software tested as a part of this study was developed in a manner 
which emulated a realistic software development effort. It was developed in a software 
research and development laboratory at RTI by three moderate to advanced skill level 
programmers using a remote link to the computational facilities of NASA’s AIRLAB at 
Langley Research Center. Each of the programmers was given two progr ammin g tasks 
which involved implementing a launch interceptor condition module for a radar tracking 
system and a pitch axis module for a PA28 flight control system. The specifications for 
both modules had been written in English by a senior analyst who had also written and 
extensively tested a fourth or comparison version of each application. The progr ammin g 
activity was managed in a conventional fashion with the exception that the progr amm ers 
were not permitted to discuss their code with anyone other than their manager or the 
senior analyst who was responsible for answering all specification questions. The pro- 
grammers were instructed to optimize the reliability of their code. Additional informa- 
tion about the software development activity can be found in NASA CR-172553, An 
Experiment in Software Reliability 


1.4. Summary of Study and Conclusions 

The development and testing of the pitch axis control module for a flight control 
system was undertaken to provide data for use in constructing a model for predicting the 
reliability of software in systems with feedback. In particular, the study was undertaken 
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to investigate the software error burst phenomenon^® and to gauge the effect of these 
bursts on system behavior. A software error burst is a sequence of erroneous outputs 
due to the memory of the system and a correlated nature of the inputs. The frequency 
and duration of these bursts may severely effect the operational reliability of process 
control software and, consequently, may be a significant reliability prediction parameter. 

To investigate the software error burst phenomenon, three pitch axis control 
modules were implemented for a PA28 aircraft. Input to the control law modules are 
the pitch command and the current pitch of the aircraft. Output from the control law is 
the elevator deflection command. The specification, written in English and provided to 
the programmers for coding, contained three operating modes of increasing complexity. 
A one axis, single input, single output simulation of the aircraft comprised the PA28 air- 
craft response model. 

The three implementations were tested in parallel with over 14 million pitch com- 
mands (about 78,000 flight hours) having varying levels of additive input and feedback 
noise. This testing surfaced four software faults in an implementation of the pitch axis 
control law. This small number of detected faults may be due to the overly simple exam- 
ple chosen for the control law software and the programmer’s ability to exploit this sim- 
plicity in validating it. As software components of the flight control systems increase in 
functionality and complexity, the full implication of software errors remains to be seen. 

2. THE SYSTEM UNDER STUDY 

2.1. The PA28 Pitch Axis Control Module 

A survey of flight control software systems 12,13,14,1,4,15,16,17,2,3 w hich could be 
used for this study culminated with the decision to select a system for which we had both 
the control laws and a description of the aircraft response model. As a result, the PA28 
aircraft was chosen because its aircraft response model was known and relatively simple 
to code. The pitch axis control module was chosen as reliable control of the pitch axis is 
safety-critical during landing. Loss of control of the elevator during final approach will 
almost certainly result in a catastrophic accident. The pitch axis control law is typically 
computed first and used as input to the control laws for the longitudinal, axes, although, 
in a few flight control systems it is computed in parallel with the roll axis. 

Appendix A contains the specification of the pitch axis control law provided to the 
three programmers for independent development. The specification requires that the 
pitch axis control law operate in nine modes. The modes correspond to the use of Pro- 
portional (P), Proportional/Derivative (PD), and Proportional/Integral/Derivative (PID) 
control strategies and to different computations of the error term. A fourth module was 
developed and extensively tested for use as a comparator. The pitch axis module speci- 
fied constitutes a simplified pitch axis control system as it ignores voting to handle sen- 
sor failures and coupling with an analog backup system. 
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2.2. The PA28 Aircraft Pitch Axis Response Model 

A single input-single output aircraft response model defines the PA28 aircraft’s 
response about the pitch axis. It was defined in the frequency domain and implemented 
in the time domain using Tus tin’s approximation. In the frequency domain, the aircraft 
response in pitch is given by the following transfer function 

e A , . oc 1 s 2 + g 2 s + g 3 

3 lS 4 + 0 2 s 3 + 0 3 s 2 + 0 4 s + 05 


and the aircraft response in pitch rate is given by 


©A 


(s) = s 



(s) 


An elevator transfer function of the form —rr(s) = — — — r , is used. 

5 n v ' s (s+50) 

where 

0 A is the aircraft response in pitch. 

0 A is the aircraft response in pitch. 

8 n is the elevator deflection for the N- version system after voting and prior to 

the application of the elevator transfer function. 

is the elevator deflection for the N-version system after the application of 
the elevator transfer function. 

“1 » “2 » a 3 

and 

Pi > P2.» P 3 > ?4 > Pi- arc model coefficients 

and 

s is the Laplace domain variable. 

3. TEST PROCEDURE AND RESULTS 

3.1. Configuration of the N-VERSION CONTROLLER 

The three independently developed software implementations of the pitch axis con- 
trol law are executed in parallel using the N-VERSION CONTROLLER^ shown in Fig- 
ure 1. This CONTROLLER relies on the technique of n-version progr ammin g to detect 
program errors. (N-version programming, first widely publicized by Avizienis 1 ® and 
recently examined by Knight, Leveson, and St. Jean^ involves n programmers 
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independently coding the problem from the same specification). All program outputs 
are compared pairwise during this testing. Whenever an output inequality occurs which 
is outside the range specified, the testing is halted, and the faulty implementation is 
identified, analyzed, and corrected. Using n-version progr ammin g for error detection 
avoids reliance on a comparison version to determine output correctness. 

The N-VERSION CONTROLLER simulates the execution of the pitch axis control 
system and provides both dynamic and static viewing of the system behavior through an 
interface program. The CONTROLLER can be used to control the pitch axis simulation 
for combinations of the following configurations: 

• Extensively Tested System (ETS) flying 

• N-Version System (NVS) flying 

• ETS monitoring NVS flying. 

These configurations can have noise added to the pitch commands generated and to the 
aircraft response in pitch. 

3.2. Test Initialization 

3.2.1. Pitch Command Generation 

The pitch command waveform selected to test the control law software dm be pro- 
pogated as either a sine wave or a generalized square wave. The sine wave is of the 
form 

P(t) = Asin(Bt+y) + k 

where 0, A, B, 7, and k are parameters specified by the experimenter. The generalized 
square wave has six specifiable parameters which characterize the waveform; 1: lead 
time, 2: rise time, 3: duration, 4: fall time, 5: height, and 6: vertical displacement. The 
sine waveform is denoted by sine ( A,B,7,k ) and the square waveform is denoted by 
square (1,2, 3,4,5, 6). 

For the purpose of this study, the coefficients of the input square wave and the sine 
wave are chosen to have a maximum rate of change in pitch of 30 degrees over 40 
timesteps or 2 milli secs. These requirements yield a square waveform of square 
(20,40,20,40,60,-30) and a sine waveform of sine (30,. 16, 0,0) as show in Plots 1 and 2 
respectively. 

The noise which can be added to the pitch command and the pitch feedback is sam- 
pled from a truncated skewed Normal (|Xj of) distribution with — r^O and a truncated 

skewed Normal (p, 2 of) distribution with — -^0 respectively. 

a 2 
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FIGURE 1. CONFIGURATION OF THE N- VERSION CONTROLLER 

where 


0c(n) * Pilch command at time step n for the ETS 

and NVS SYSTEM* prior to the addition of 
random noise. 

Rt(n) • Random noise added to 0q Q ) . 

6c(n) - Pitch command at time step n for the ETS 

and NVS SYSTEMS after the addition of ran- 
dom noise. 

S F (n) - Deflection of elevator at time step n for ETS 
flying the aircraft prior to application of the 
elevator transfer function. 

• Deflection of elevator at time step n for ver- 
sion i of NVS prior to vote and application of 
elevator transfer function. 

fi^n) - Deflection of elevator at time step n for the 
ETS monitoring the NVS prior to application of 
the elevator transfer function. 

Afi^n) - Difference between 6 N (n) for all unordered 
NVS pairs (i.e. (fiftn),5^(n)) for all i, j <l 
[0,2]). 

Afi^n) - Difference between fij N (n) for all NVS pairs 
(i.e. (&F(n) f 5 F (n)) for all i e [0,2]). 

Afif^n) for all NVS pairs (i.e. (^(nTfi^n)) for all i t 
[0,2]). - Difference between ( n) 


& N (n) - Deflection of elevator at time step n for NVS 

flying the aircraft after voting and prior to 
application of the elevator transfer function. 

Afi^n) - Difference between fi N (n) and fi^n) 

Afi^n) - Difference between S N (n) and S F (n) 

5f(n) • Deflection of elevator at time step n for ETS 

flying the aircraft after application of the eleva- 
tor transfer function. 

&£(n) - Deflection of elevator at time step n for NVS 

after application of elevator transfer function. 

AS^n) - Difference between s£(n) and fi£(n) 

0 F (n) - Pitch of aircraft at time step n for the ETS 

flying the aircraft prior to adding random 
noise. 

0£(n) • Pitch of aircraft at time step n for the NVS 

flying the aircraft prior to adding random 
noise. 

R 2 (n) - Random noise added to 0 F and 0/J at time 

step n. 

6 F (n) - Pitch of aircraft at time step n for the ETS 

flying the aircraft after adding random noise. 

$A(n) - Pitch of aircraft at time step n for the NVS 

flying the aircraft after adding random noise. 
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PLOT 1. SQUARE (20,40,20,40,60,-30) 



PLOT 2. SINE (30,. 16,0,0) 



3.2.2. Tuning the N- VERSION CONTROLLER 

Tuning the N- VERSION CONTRO LLE R involved (i) testing of the ETS module in 
conjunction with the aircraft response model, (ii) testing the control law software written 
by programmer 1 in conjunction with the aircraft response model, and (iii) testing of the 
NVS in conjunction with the aircraft response model. The first two test efforts were 
conducted as the ETS and the independent implementations of the control law are imple- 
mentations of different forms of the same control law algorithm in that the ETS control 
law does not have the mode switching capability and it operates in Proportional- 
Integral-Derivative mode only. The above testing resulted in near optimal performance 
of the software to control the pitch axis by setting of the aircraft response model coeffi- 
cients as follows: 


ot! = 17.5; a 2 = 39.4; <23 = 17.0; 


Pi = 1.02; p 2 = 7.01; 0 3 


18.7; p 4 = 8.6; p 5 = 2.84; 


7 




3.2.3. Tuning the NVS Control Law Coefficients 

The control law coefficients were tuned to minimize the amount of overshooting and 
undershooting of the pitch response in the absence of input and feedback noise when the 
NVS is flying the aircraft. Table 1 shows the results of executing the NVS system with 
different values of the control law parameters for the square (20,40,20,40,60,-30) and 
sine (30,. 16,0,0) waveforms. The values shown are estimates derived from visual 
inspection of the corresponding graphs. Rots 3 and 4 show the system performance for 
the tuning runs using the square (20,40,20,40,60,-30) and sine (30,. 16, 0,0) waveforms 
respectively. The ETS control law was timed during the system tuning runs. 


PLOT 3. TSQ4 SYSTEM PERFORMANCE PLOT 4. TSN3 SYSTEM PERFORMANCE 

Pitch Command vs NVS Pitch Response Pitch Command vs NVS Pitch Response 




Pitch Command vs NVS Pitch Response 



0 c (n) 


Pitch Command vs NVS Pitch Response 
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TABLE 1. NVS CONTROL LAW RUNS OF LENGTH 1,000 INPUT CASES 



El 

a l 

El 

El 

MFBSM 

KH 

•K«> 

6*(n) 

Comments 

tsql 

,000 

.167 

.084 

.042 

(•180,180) 

(-300,300) 

(-200,200) 

(•30,30) 

high freq. oscillation in e£, 
overshoots 

changes sign every time step 

tsq2 

.000 

.167 

.042 

.021 

(-30,30) 

(-200*200) 

(-50,50) 

(-20*20) 

high freq. oscillation in 
changes sign alter, time steps 

tsq3 

.000 

.167 

.021 

.042 

(-200,200) 

(-500,500) 

(-200,200) 

(-110,110) 

lew' freq. oscillation in 0jj 
changes sign every time step 

• 

tsq4 

.000 

.167 

.021 

H 


(-125,125) 

(-32,35) 

(-7,10) 

low freq. oscillation in 
at peak and low amplitude 

ts q5 

.000 

.167 

.010 

.021 

(-10.10) 



(-6,8) 

low freq. oscillation in 0^ 
at peak and low amplitude 

tsq6 

.000 

.167 

.005 

.021 

(-10,10) 

(-200,200) 

(-29.29) 

(-6,8) 

low' freq. oscillation in 0jj 
at peak and low amplitude 

tsq7 

.000 

.200 

.013 

.025 


(-200,200) 

(-35,33) 

(-10,10) 

low freq. oscillation in 0jj 
at peak and low amplitude 

t$q8 

.000 

.200 

.006 

.025 

(•10,10) 

(-200,200) 

(-32,33) 

Q 

low freq. oscillation in 0)J 
at peak and low amplitude 

tsnl 

.000 

.167 

.025 

.(M2 

(-12,12) 

(-75,75) 

(-27.30) 

— 

(-6.7) 

| overshoots 0-J 
j low freq. oscillation 

i " ! 

:sn2 j .000 j .200 

i ! 

, 13 ! 

j 

ii i 

.025 || (-12,12) j (-75,75) 

! 1 

(-25,28) | (-6,7) | 

i ! 

t undershoots 0j[ 
no oscillation j 

. 1 i 

tsn3 1 .000 | .167 

1 1 

.042 

; i i 

.0S4 j, 1 (-10,10) 

i! 

(-50,50) 

(-32.34) 

(-7,9) 

overshoots 

low freq. oscillation 


where 

tsql through tsq8 
tsnl through tsn3 


a^, a,, a^, a 3 
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S’ 

A 


6 f 


are the square wave tuning runs 
are the sine wave tuning runs 
are the control law coefficients 

is the current error in 0 at time step n for NVS flying the aircraft, 
is the cummulative error in pitch of NVS at time step n. 

is the pitch of aircraft at time step n for the NVS flying the aircraft prior to 
adding random noise. 

is the deflection of elevator at time step n for ETS flying the aircraft prior to 
application of the elevator transfer. 










































(n)/O c (n) ®c ( n ) /O c (n) 


Based on the results of the tuning runs, the control law coefficients for the square 
wave stress test runs were set at =0.000; a^O.167; a 2 =0.032; a 4 =0.084; (based on 
tuning run tsq4) and for the sine wave stress test runs 3^=0.000; 0.167; a 2 = 0.021; 

a 3 = 0.042; (based on tuning run tsn3). 

3.3. Stress Test Results 

Stress testing entailed executing the system in Proportional-Integral-Derivative 
(PID) mode 7 (see Appendix A) with the goal of detecting software failures under worst 
case input conditions. The noise distributions used during this testing were selected to 
simulate both continuous turbulence and discrete incremental gust loads. The stress test 
runs were made with the square waveform and the sine waveform and with and without 
input noise on the pitch command and the pitch response as depicted in Table 2. Plots 5 
and 6 show the signal and noise to signal ratio for the square (20,40,20,40,60,-30) and 
sine (30,. 16,0,0) stress test runs respectively. 

During the stress tests if the absolute range of the pairwise comparisons of all 
exceeded the limit specified, the N- VERSION CONTROLLER logs the system state for 
the next two hundred test cases inclusive of the failure causing case. The control law 
implementations are then scrutinized for the presence of a software fault and the impact 
of that fault on the system performance is analyzed. 


PLOT 5. SQUARE WAVE RESULTS 

(Signal t NoiseySignal for 25 % Additive Input Noise 

i 

Vi 


■l 3 \ 


50 .00 

Time Step t 


(Signal 4* NoiseySignal for 10% Additive Input Noise 
r:. 


•a : 


50 :x 

Time Step t 


200 


200 
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PLOT 6. SINE WAVE RESULTS 

(Signal + NoiseySignal for 25% Additive Input Noise 



(Signal + NoiseySignal for 10% Additive Input Noise 
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50 100 
Time Step t 
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TABLE 2. STRESS TEST RUNS OF LENGTH 1,000,000 INPUT CASES 


Run R](n) r^n) 


Comments 


ssq 1 

N(0.0,0.0) 

0.0 

0.0 

N(0.0,0.0) 

0.0 

0.0 



ssq 2 

i 

j N(3. 0,1.0) 

| 

1 

! 20 

4.0 


ssq 3 

N(0.0,0.0) 

i 

0.0 

0.0 


ssq 4 
i ■■ ; 

N(3. 0,1.0) 

2.0 

4.0 


4.0 | 107c input & output noise 


257c input & output noise 


07c input nase output nose 


ssn 1 i N(0.0,0.0) 0.0 0.0 N(0.0.0.0) 


j ssn 2 I N(3.0 t 1.0) \ 2.0 4.0 N(0.0,0.0) 0.0 j 0.0 j 107c input noise 


I | 

3 N(O.O.O.O) | 0.0 J 0.0 N(3. 0,1.0) 2.0 j 4.0 I 107c output noise 

! I I 


ssn 4 | N(3.0,1.0) 2.0 4.0 N(3. 0,1.0) 2.0 4.0 | 10% input & output nase 

I 


257c input nase 
























































































Table 3 shows the maximum range in the elevator deflection angles computed by 
each implementation of the control law software for the various stress test runs. 
Although the actual values of the elevator deflections varied among the independent 
implementations they remained in a range of 2.5, as shown in Table 3, which was speci- 
fied as an acceptable performance parameter during the system t unin g runs. The range 
specification is somewhat arbitrary in that a tight bound on the range increases the rate 
with which we observe false alarms, and a lenient bound increases the probability of 
non-detection. 


TABLE 3. 

APPLICATION TASK ELEVATOR 
COMMAND DIFFERENCES AND PITCH RANGE 


RUN ID 

MAX DIFFERENCE 

PITCH RANGE 

ssq 1 

0.6 

[-31.734.3] 

ssq 2 

0.6 

[-31.737.2] 

ssq 3 

0.6 

[-35.034.8] 

ssq 4 

0.6 

[-34.7,40.4] 

ssq 5 

0.7 

[-34.0,48.8] 

ssq 6 

0.5 

[-45.1,44.1] 

ssq 7 

0.6 

[-39.935.7] 

ssn 1 

0.7 

[-32.134.2] 

ssn 2 

0.7 

[-33.639.6] 

ssn 3 

0.7 

[-36.436.6] 

ssn 4 

0.8 

[-37.4,43.0] 

ssn 5 

1.3 

[-39.2,56.2] 

ssn 6 

1.3 

[-49.5,48.8] 

ssn 7 

2.0 

[-51.7,66.11 


3.4. Case Analysis Results 

Since we were uncertain if the range in elevator deflection commands were a func- 
tion of mismodeling or if a software error was occurring, (This appears to be a common 
problem with performance testing of process control software.)^ we investigated the 
elevator deflections for 1000 time steps by executing the NVS system using the ssql run 
parameters, setting the permissible range of the elevator deflection commands computed 
by the three implementations for each time step ( i.e., A8 1 ^ IN (n) ) to 0, and analyzing the 
test case when non-zero ranges occurred. The analysis identified four faults in an imple- 
mentation of the control law, as shown in Table 4. The fault made in computing the 
derivative term in Modes 4 and 7 was corrected. A re-execution of the ssql r un resulted 
in numerical agreement (to the least significant bit) of the elevator deflection command 
output from the control laws. 
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TABLE 4. DESCRIPTION OF SOFTWARE FAULTS 
PRESENT IN AT3 


Modes 

Correct 

Term 

Effected 

Term 

Used 

4,7 

0c(n)-e A (n) 

t(n)-t(n-l) 

®c(n)-e A (n) 

5,8 

6c(n)-0 A (n) 

6c(n) - 6c(n- 1) “ 6 A (n) “ 0 A (n~ 1) 

t(n)-t(n— 1) 

t(n)-t(n-l) 

3,6,9 

0c(n)-<j A (n) 

0c(n)-6 A (n) 

t(n)-t(n-l) 

6,9 

0c(n)-9 A (n) 

9c(n) “ 9 A (n) “ 0cO- 1) + 0 A (n- 1) 

t( n )-t(n-l) 

t(n)-t(n-l) 


where 

n 

t(n) 

6c(n) 

e A (n) 

®c( n ) 

0aO) 

AT3 


is the time step index 

is the clock time at step n 

is the pitch command at step n 

is the actual pitch of the aircraft at step n 

is the change in pitch command, i.e. (0c(n) — ©c(n— 1)) 

is the change in actual pitch, i.e. (0 A (n)-0 A (n-l)) 

is the third implementation of the control law 



4. CONCLUDING REMARKS 

N-version testing of three implementations of a PA28 pitch axis control law with 
over 14 million pitch commands (about 78,000 flight hours) having varying levels of 
additive input and feedback noise surfaced only four software faults in an implementa- 
tion, thus precluding the analysis of software error bursts. This small number of 
detected faults may be due to the overly simple example chosen for the control law 
software and the programmers’ ability to exploit this simplicity in validating it. As 
software components of the flight control systems increase in functionality and complex- 
ity, the full implication of software errors remains to be seen. 


4 
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Appendix A. Pitch Axis Control Law Specification 


1. BACKGROUND 

a. Aircraft Control Surfaces And Axes Of An Aircraft In Flight 

Aircraft control surfaces are divided into two groups; primary and secondary. The 
primary control surfaces are the ailerons which are located at the trailing edge of the 
wings, the elevators which are located at the rear portion of the horizontal tail assembly 
(in some aircraft the entire horizontal tail is movable), and the ruder which is the rear 
portion of the vertical tail assembly. The secondary control surfaces are the trim tabs, 
balance tabs, and servo tabs. They are used to reduce the force required to activate the 
primary control surfaces, and for trimming and balancing the airplane in flight. These 
tabs are in actuality small airfoils attached to,; or recessed into the trailing edge of the 
primary control surfaces. 

There are three axes about which an aircraft rotates about whenever it changes its 
altitude with respect to the earth, or inertial, or moving axis coordinate system. These 
axes are the longitudinal, lateral, and vertical axes. Roll is motion about the longitudi- 
nal axis. This motion is controlled by the ailerons. Pitch is motion about the lateral 
axis. This motion is controlled by the elevators. Yaw is motion about the vertical axis. 
Yaw is controlled by the rudder. 
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The above diagram illustrates the axes of an aircraft in flight. The set of rectangu- 
lar axes is oxyz where o is the center of gravity of the aircraft. 

Ox is the longitudinal axis 
Oy is the lateral axis 
Oz is the vertical axis 

U, V, W are the velocity components of the center of gravity along Ox, Oy, and Oz 
respectively. 

P, q,_r are the components of angular velocity of the axis frame Oxyz about Ox,Oy, 
andOz respectively. Hence, p is the aircraft’s angular velocity in roll, q is the 
aircraft’s angular velocity in pitch, and r is the aircraft’s angular velocity in yaw. 

b. Flight Dynamics 
1. Eqns. of Motion 

Flight dynamics deals with the motion of an aircraft under the influence of forces. 
These forces are of six types. 

(i) Inertia forces, arising from the mass distribution and linear and angular 
acceleration of the aircraft. 

(ii) Aerodynamic forces and moments, depending on angular velocities of the air- 
craft (sometimes called rotary forces and moments). 

(iii) Aerodynamic forces and moments depending on the linear velocities of the air- 
craft (sometimes called static forces and moments, since they depend on the alti- 
tude of the aircraft relative to the airstream and not on its angular velocities). 

(iv) Aerodynamic forces and moments due to the application of controls (usually 
only the forces and moments due to control deflection are of importance; these are 
sometimes called static forces and moments due to controls). 

(v) Gravitational forces, and 

(vi) Propulsive forces. 

The equations of motion of an aircraft can be completely determined by considering 
these forces. These equations constitute a set of non-linear differential equations, which 
are separated with respect to the lateral and longitudinal axes ana linearized. These 
equations can be found in texts on aircraft aerodynamics. 
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2. STABILITY 

A dynamical system is said to be stable or possess stability, if, when slightly dis- 
turbed from a state of equilibrium or steady motion, it tends to return and remain in 
that state, the disturbance acting for only a finite time. In general, an aircraft must be 
both statically and dynamically stable. An aircraft has static stability if, immediately 
on being disturbed, it has a tendency to return to equilibrium conditions. An aircraft 
has dynamic stability if its motion subsequent to the initial disturbance is characterized 
by its decreasing amplitude as equilibrium is restored. Static stability is prerequisite to 
dynamic stability. The design of an aircraft must make it both statically and dynami- 
cally stable with respect to the three axes. Because symmetry keeps translation and 
rotation in the vertical plane from producing forces in the other planes, longitudinal and 
lateral-directional stability are considered separately. 

To illustrate, assume that we are interested in the stability in pitch for three air- 
crafts. Stability in pitch represents longitudinal stability, i.e., stability about the air- 
planes’ lateral axis. 



NOTES: Airplane A is unstable and continually diverges. 

Airplane B is both statically and dynamically stable, but the return to equili- 
brium takes too long. 

Airplane C is acceptable because it returns to equilibrium in a relatively short 
time. 
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c. Artificial Stability and Automatic Control 

The stability and response characteristics of an aircraft without automatic control, 
at a given speed and altitude, are determined completely by the design and distribution 
of mass of the aircraft. There exists, however, various mechanisms to optimize the 
aircraft’s stability without changing the aircraft design. One way is by shifting the 
mass distribution, or center of gravity during various stages of flight (e.g., shifting from 
subsonic to supersonic speeds). Another way is by automatic control of the control sur- 
faces in a manner which compensates for one or more components of the flight distur- 
bance. The goal for both these methods is to artificially improve the stability and 
response of the aircraft. 

The automatic control systems utilized may be an open-loop systems in which 
input data, say 0; are fed into a servo-system which produces an output 0 O . 0j could 
be a signal from a gyroscope or an accelerometer. The output 0 O might represent an 
elevator deflection. The automatic control system may be a closed-loop system or a sys- 
tem with feedback control. Closed-loop systems are applied in cases where the output 
of the open-loop system depends upon the deviation of the aircraft from the datum 
state. The essential requirement of a closed-loop system is that the error between the 
desired state and the existing state is constantly monitored. 

This describes the detailed computer program specifications for the Pitch Axis Con- 
trol Problem. It is anticipated that you will code at least three successive control stra- 
tegies of increasing complexity. In order, these are: 


STRATEGY 

FORM 

(1) Proportional: 

Y=a <) 4- a,x 

(2) Proportional-Derivative: 

Y=afl -f ajX -1- ao dx/dt 

(3) Proportional-Integral-Derivative: 

t 

Y=a 0 4- a,x 4- iu dx/dt 4- a 3 /x dt 


o 


where Y and the integral are to be computed, and the terms in x and the a,- are 
inputs. Specifications generally pertinent to all 3 control strategies and details of the 
first are contained herein; details for strategies 2 and 3 will be forthcoming. The over- 
head (parameter lists, common blocks, clock calls, initialization, etc.,) developed in the 
coding of strategy 1 will be directly applicable to strategies 2 and 3. Therefore, 
appropriate editing techniques should expedite development of 2 and 3. 
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3. SPECIFICATIONS 


Language: 

Variables: 

Module: 

I/O: 

Files: 

Acceptance: 
Data Validity: 


FORTRAN 

Standard FORTRAN Rcal*4 and Integer*4 for variables passed via 
common. Variables may be named as desired. 

A subroutine named PROB2 with no parameter list (as in PROBl, 
Launch Interceptor Problem). 

Variables will be passed through labeled common blocks; PROB2 will 
generate no read/write operations except as necessary during develop- 
ment. There should be no I/O operations in the delivered module. 

The source code for PROB2 and any supporting subprograms should 
be in a file named prob2.for; any other subprograms or main “driving” 
programs not delivered should be maintained on separate files. 

There will be no formal acceptance test as there was in the Launch 
Interceptor Problem; you may generate your own test data as you 
desire. 

Assume all input data are valid; no validity tests are necessary. 
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INPUTS: COMMON/INPUTS/ 


POSITION NAME TYPE COMMENTS 


1 

Initialize 

1*4 

IF = 1, zero-out all output 
variables and return. 

2 

Mode 

1*4 

IF = 0, automatic control is not in 
effect; return without computing; 
otherwise, determines the control 
strategy and the measurement 
variable. 

3 

t(n) 

1*4 

The current value of dimensionless 
time. 

4 

©c(n) 

R*4 

Desired value of pitch at current 
time-step, n. 

5 

©A(n) 

R*4 

Actual pitch of aircraft at current 
time-step, n. 

6 

©c(n) 

R*4 

Desired pitch rate at current time- 
step, n. 

7 


R*4 

Actual pitch rate of aircraft at 
current time-step, n. 

8 

a i 

R*4 

Coefficients; i = 1,2,. ..,5 

OUTPUTS: 

COMMON/OUTPUT/ 




1 

<5(n) 

R*4 

Elevator deflection angle, computed. 

2 

£(n) 

R*4 

Error in measurement quantity (as 
determined by mode). 

3 

AG^At 

R*4 

Pitch rate, computed. 
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Saved variables: COMMON/SAVED/ 

Note: The saved variable name should differ from the I/O variable name. 


POSITION 

NAME 

TYPE 

COMMENTS 

I 

©e(n) 

R*4 

Current © c ; to become 

0 c (n-l) upon next entry of subroutine. 

2 

6{n) 

R*4 

Current computed elevator deflection; to 
become 5(n-l) upon next entry of subroutine. 

3 

©a( q ) 

R*4 

Current © A ; to become © A (n-1) 
upon next entry of subroutine. 

4 

t( n ) 

I*4‘ 

Current value of dimensionless time; to become 
t(n-l) upon next entry of subroutine. 

5 

*e(n) 

R*4 

Current error in ©; to become 
€q(q— 1) upon next entry of 
subroutine. 

6 

c e( Q ) 

R*4 

Current error in © ; to become 
e^fn-l) upon next entry of 
subroutine. 

7 

e c (n) 

R*4 

Current © c ; to become © c (n-l) 
upon next entry of subroutine. 

8 

©a(“) 

R*4 

Current © A ; to become © A (n-1) 
upon next entry of subroutine. 

9 


R*4 

Cumulative sum of feAt since 
t = 0. 

10 

E ‘e 

R*4 

Cumulative sum of fgAt since 
t = 0. 

The type specification for 

t(n) was 

omitted from the specification provided to the pro- 


grammers. 


24 



4. ALGORITHMS 

In any of the forms, the quantity x represents the measured error, e , in the quan- 
tity being controlled which can be either pitch, 0 , or pitch rate, © = d0/dt. The 
quantity y is the output from the controller and represents the aircraft elevator 
deflection 6. 

The controller will compute x, the measured error. Whether it computes x(0) or 
x(0) will depend on the value of MODE. In addition, whether 0 is furnished as an 
input or is to be computed as (0(n) - 0(n-l)/At) by the controller, will also be deter- 
mined by MODE. 

Table 1 shows the control strategy and measured error relationship as governed by 
values of MODE. 


Table A - Control Law Mode 

Strategy 

Error Term 


0 C - e A 


AO c AO a 

A, • A, 

P: Proportional 

1 

2 

3 

PD: Proportional/Derivative 

4 

5 

6 

PID: Proportional/Integral/Derivative 

7 

8 

9 


TABLE 1: Control Strategy to be employed and Measured Error to be Computed for 

Different Values of MODE 

THE FOLLOWING STEPS SHOULD BE CODED: 

Strategy 1, Proportional, y = a 0 -f ajX 

1. Test Initialize (see INPUTS comments) 

2. Test Mode 

3. COMPUTE X per mode. If MODE=3, use values saved (in common block) from 
previous call of your module. 

4. COMPUTE Y using inputs a 0 and a t 

5. RETURN 

Strategy 2, Derivative, y = a^ + a t x + a^dx/dt 
(Same steps as for Strategy 1) 

t 

Strategy 3, Integral, y = a 0 -f a t x + a^dx/dt 4- a 3 /xdt 

o 

(The same steps should be used as for 1 and 2, but in addition provision should be 
made for initialization and computation of the integral as a cumulative sum.) 
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Appendix B. Results of Stress Test Runs 



STRESS TEST RUN SSQ1 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 1234567808 


1,000,000 

SQ(20 ,40,20 ,40 ,60,-30) 

Pitch Response Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

ao = .000 a 1 - .167 a 2 = .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 
a x = 17.5 a 2 = 39.4 a 3 = 17.0 

p x = 1.02 p 2 = 7.01 p 3 = 18.70 p 4 = 8.60 p 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled 

Extreme Values 


No 

[-6.2,11.9] 


No 

[-6.8, 9.3] 


No 

[-30.8,49.2] 

0A 

No 

[-31.7,34.3] 

|Ee F | 

No 

63.0 

|He N | 

No 

121.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|A»H 

Yes 

0.6 

iA«n 

No 

7.0 

lAS.^I 

No 

3.1 

IA8PI 

No 

5.0 
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STRESS TEST RUN SSQ2 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(3. 0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 1234567808 


1,000,000 

SQ(20,40,20,40,60,-30) 

Pitch Response Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

a 0 = .000 a 1 = .167 a 2 = .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 
otj = 17.5 a 2 = 39.4 a 3 = 17.0 

Pi = 1.02 p 2 = 7.01 p 3 = 18.70 p 4 = 8.60 p 5 = 2.84 

SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled 

Extreme Values 


No 

[-6.6,11.8] 

»E 

No 

[-7.4, 9.7] 

0A 

No 

[-31.5,51.0] 

® A 

No 

[-31.7,37.2] 

|E« F | 

No 

67.0 

|Efl 

No 

138.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

£=■ 

<o 

Yes 

0.6 

lisP'l 

No 

8.0 

|A»P T | 

No 

3.2 

las^l 

No 

5.1 
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STRESS TEST RUN SSQ3 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 1234567808 


1 , 000,000 

SQ(20,40,20,40,60,-30) 

Pitch Response Noise 

Distribution N(3.0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

ao = .000 a l = .167 a 2 = .021 A 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 
a x = 17.5 a 2 = 39.4 a 3 = 17.0 

3 X = 1.02 p 2 = 7 - 01 P3 " 18.70 3 4 = 8.60 p 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled 

Extreme Values 


No 

[-7.4,11.2] 


No 

[-8.4, 7.9] 

0A 

No 

[-34.7,47.4] 

®A 

No 

[-35.0,34.8] 

|Ee F | 

No 

57.0 

|E« N | 

No 

113.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|a»!H 

Yes 

0.6 

|A6 i NM | 

No 

8.0 

|AS( NT | 

No 

3.1 

148^1 

No 

4.3 
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STRESS TEST RUN SSQ4 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(3.0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 1234567808 


1 , 000,000 

SQ(20,40,20,40,60,-30) 

Pitch Response Noise 

Distribution N(3.0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

a^ = .000 a! = .167 a 2 = .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 


a x = 17.5 

Pi = 1.02 

a-> 

P2 

= 39.4 
» 7.01 

a 3 = 17.0 
p 3 = 18.70 p 4 

SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 

8 E 


No 

[-8.2,11.4] 

to 


No 

[-9.4, 9 .5] 

0A 


No 

[-34.4,49.3] 

®A 


No 

[-34.7,40.4] 

|Ee F | 


No 

61.0 

|Ee N | 


No 

129.0 


INEQUALITY CONSTRAINTS 


Requirement 

IAS.fl 

lASf) 

|A8f| 

|A8f| 


Enabled 

Extreme Values 

Yes 

0.6 

No 

7.5 

No 

3.1 

No 

5.3 
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STRESS TEST RUN SSQ5 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] 

Seed 1234567808 


1,000,000 

SQ(20 ,40 ,20 ,40,60 ,-30) 

Pitch Response Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

ao = .000 a : - .167 a 2 = .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 
«! = 17.5 a 2 = 39.4 a 3 = 17.0 

Pi = 1.02 p 2 = 7.01 p 3 = 18.70 p 4 = 8.60 0 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 


Se F 

No 

[-8.5,12.3] 

8 ? 

No 

[-10.9,13.4] 


No 

[-32.3,53.7] 

®A 

No 

[-34.0,48.8] 

|Ee F | 

No 

77.0 

|Ee N | 

No 

163.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|A*f| 

Yes 

0.7 

|46P<| 

No 

9.5 

|A6,^I 

No 

3.3 

lAS^I 

No 

6.6 
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STRESS TEST RUN SSQ6 


TOTAL CASES EXECUTED 1,000,000 

TEST CASE GENERATION 

Pitch Command Waveform SQ(20,40,20,40,60,-30) 


Pitch Command Noise 


Pitch Response Noise 


Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 1234567808 


Distribution N(7.5,2.5) 

Truncation Points N[5.0,10.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

ao = .000 aj = .167 a 2 = .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 

= 17.5 a 2 = 39.4 a 3 = 17.0 

01 = 1.02 pj = 7.01 p 3 = 18.70 p 4 = 8.60 p 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 


5f 

No 

[-11.0,10.5] 

5 E N 

No 

[-14.0,11.2] 


No 

[-41.9,44.8] 

®A 

No 

[-45.1,44.1] 

|Ee F | 

No 

51.0 

|Ee N | 

No 

102.0 

INEQUALITY CONSTRAINTS 


Requircment 

Enabled 

Extreme Values 

|A5^'| 

Yes 

0.5 

lAS^I 

No 

9.5 

|A5, nt | 

No 

4.8 

lAS^I 

No 

10.5 
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STRESS TEST RUN SSQ7 


TOTAL CASES EXECUTED 1,000,000 

TEST CASE GENERATION 

Pitch Command Waveform SQ(20,40,20,40,60,-30) 

Pitch Command NoLse Pitch Response Noise 

Distribution N(7.5,2.5) Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] Truncation Points [5.0,10.0] 

Seed 1234567808 Seed 9876542464 

CONTROL LAW PARAMETERS 

ag = .000 aj = .167 a 2 — .021 a 3 = .042 

AIRCRAFT RESPONSE MODEL PARAMETERS 
aj = 17.5 a 2 = 39.4 a 3 = 17.0 

0! = 1.02 0 2 = 7.01 pj = 18.70 0 4 = 8.60 0 5 = 2.84 

SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled 

Extreme Values 

*f 

No 

[-11.9,12.0] 


No 

[-15.4,16.1] 

0A 

No 

[-39.1,54.6] 


No 

[-39.945.7] 

|Ee F | 

No 

70.0 

|He N | 

No 

140.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

lASf'l 

Yes 

0.6 

lAS^ 1 ] 

No 

8.0 

|A5 ; NT | 

No 

5.3 

|A6£ T | 

No 

11.9 
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STRESS TEST RUN SSN1 


TOTAL CASES EXECUTED 1,000,000 

TEST CASE GENERATION 

Pitch Command Waveform SINE (30,. 16,0,0) 

Pitch Command Noise Pitch Response Noise 

Distribution N(0.0,0.0) Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] Truncation Points [0.0, 0.0] 

Seed 1234567808 Seed 9876542464 

CONTROL LAW PARAMETERS 

a^ = .000 a 1 = .167 a 2 = .042 a 3 = .084 

AIRCRAFT RESPONSE MODEL PARAMETERS 
a : = 17.5 a 2 = 39.4 a 3 = 17.0 

p 2 = 1.02 p 2 = 7.01 p 3 - 18.70 p 4 = 8.60 p 5 = 2.84 

SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled 

Extreme Values 


No 

[-4.7, 8.8] 


No 

[-6.9,8. 1] 


No 

[-29.5,36.8] 

®A 

No 

[-32.1,34.2] 

|Ee F | 

No 

47.0 

|Ee N '| 

No 

54.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|AS ; f| 

Yes 

0.7 

|A5^| 

No 

1.1 

|ASi NT | 

No 

1.3 

|A5^| 

No , 

2.7 
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STRESS TEST RUN SSN2 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(3. 0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 1234567808 

CONTROL LAW PARAMETERS 
3 ^ = .000 ~ .167 


1 , 000,000 

SINE (30,. 16,0) 

Pitch Response Noise 

Distribution N(0.0,0.0) 

Truncation Points [0. 0,0.0] 

Seed 9876542464 

a 2 = .042 a 3 = .084 


AIRCRAFT RESPONSE MODEL PARAMETERS 


a x = 17.5 
0! = 1.02 

a 2 

pj 

= 39.4 
= 7.01 

a 3 = 17.0 
P 3 = 18.70 0 4 

SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 

*1 


No 

[-5.8, 8.7] 

s£ 


No 

[-8.8, 9.8] 

ftp 

0 A 


• No 

[-30.0,38.6] 

0 A 


No 

[-33.6,39.6] 

|Ee F | 


No 

54.0 

|Ee N l 


No 

64.0 


INEQUALITY CONSTRAINTS 


Requirement 

|A5 ; f| 

|A5P| 

|A5i Nir | 

|A8£ t | 


Enabled Extreme Values 
Yes 0.7 

No 1.4 

No 1.9 

No 


4.5 



STRESS TEST RUN SSN3 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(0.0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 1234567808 

CONTROL LAW PARAMETERS 
a 0 = .000 a t = .167 


1,000,000 

SINE (30,. 16,0,0) 

Pitch Response Noise 

Distribution N(3.0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 9876542464 

a 2 = .042 a 3 = .084 


AIRCRAFT RESPONSE MODEL PARAMETERS 
a x = 17.5 a 2 = 39.4 a 3 = 17.0 

3i = 1.02 pj = 7.01 = 18.70 p 4 = 8.60 3 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 



No 

[-6.8, 8.2] 

fcuj 

to 

No 

[-9.8, 8.3] 

el 

No 

[-33.5,35.0] 

e£ 

No 

[-36.4,36.6] 

|E e F | 

No 

44.0 

\m 

No 

51.0 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|ASf*| 

Yes 

0.7 

lASP'l 

No 

1.3 

lAS^I 

No 

2.5 

|A*Pl 

No 

5.7 
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STRESS TEST RUN SSN4 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(3.0,1.0) 

Truncation Points [2. 0,4.0] 

Seed 1234567808 


1,000,000 

SINE (30,. 16,0,0) 

Pitch Response Noise 

Distribution N(3.0,1.0) 

Truncation Points [2.0, 4.0] 

Seed 9876542464 


CONTROL LAW PARAMETERS 

aQ = .000 aj — .167 a 2 — .042 a 3 = .084 

AIRCRAFT RESPONSE MODEL PARAMETERS 
= 17.5 a n = 39.4 a 3 = 17.0 

= 1.02 p 2 = 7 - 01 03 " 18.70 04 = 8.60 0 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 


5e 

No 

[-7. 1,8.1] 


No 

[-11.3,11.4] 


No 

[-32.338.4] 


No 

[-37.4,43.0] 

|Ee F | 

No 

52 

|Ee N | 

No 

61 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

lASjfl 

Yes 

0.8 

lAS^I 

No 

1.5 

lAS^I 

No 

3.1 

|A5£ T | 

No 

7.0 
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STRESS TEST RUN SSN5 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] 

Seed 1234567808 

CONTROL LAW PARAMETERS 
ao = .000 aj = .167 


1,000,000 


SINE (30,. 16,0,0) 

Pitch Response NoLse 

Distribution N(0. 0,0.0) 

Truncation Points [0.0, 0.0] 

Seed 9876542464 


a 2 = .042 a 3 = .084 


AIRCRAFT RESPONSE MODEL PARAMETERS 
04 = 17.5 <x 2 = 39.4 a 3 = 17.0 

Pi = 1.02 pj = 7.01 p 3 = 18.70 p 4 = 8.60 p 5 = 2.84 


SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 


*e F 

No 

[-7.7,10.1] 


No 

[-14.6,17.7] 


No 

[-31.2,45.0] 


No 

[-39.2,56.2] 

|Ee F | 

No 

68 

|Ee N | 

No 

84 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|A#H 

Yes 

1.3 


No 

2.2 

lAS^I 

No 

4.1 

|AS^| . 

No 

9.9 
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STRESS TEST RUN SSN6 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

N(0.0,0.0) 

[ 0 . 0 , 0 . 0 ] 

1234567808 

CONTROL LAW PARAMETERS 

a 0 = .000 a L = .167 a 2 = .042 a 3 = .084 

AIRCRAFT RESPONSE MODEL PARAMETERS 
aj = 17.5 a o = 39.4 a 3 = 17.0 

0! = 1.02 02 = 7.01 0 3 = 18.70 0 4 = 8.60 0 5 = 2.84 

SYSTEM PERFORMANCE REQUIREMENTS 


Requirement 

Enabled ' 

Extreme Values 

8f 

No 

[-10.2,8.1] 

»E 

No 

[-18.0,14.4] 


No 

[-40.1,40.7] 


No 

[-49.5,48.8] 

|Ee F | 

No 

18.5 

|Ee N l 

No 

29.5 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

HM.fl 

Yes 

1.3 


No 

2.1 

HMfl 

No 

6,0 

|A5^ T | 

No 

14.2 


Distribution 
Truncation Points 
Seed 


1,000,000 

SINE (30,. 16,0,0) 

Pitch Response Noise 

Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] 

Seed 9876542464 
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STRESS TEST RUN SSN7 


TOTAL CASES EXECUTED 

TEST CASE GENERATION 

Pitch Command Waveform 

Pitch Command Noise 

Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] 

Seed 1234567808 

CONTROL LAW PARAMETERS 
ao = .000 a 2 = .167 


1,000,000 

SINE (30,. 16,0,0) 

Pitch Response Noise 

Distribution N(7.5,2.5) 

Truncation Points [5.0,10.0] 

Seed 9876542464 

a 2 = .042 a 3 = .084 


AIRCRAFT RESPONSE MODEL PARAMETERS 
a : = 17.5 a 2 = 39.4 a 3 = 17.0 

Pi = 1.02 0 2 = 7.01 0 3 = 18.70 0 4 - 8.60 0 5 = 2.84 

SYSTEM PERFORMANCE REQUIREMENTS 

Requirement Enabled Extreme Values 


*1 

No 

[-11.0,11.2] 

5 E N 

No 

[-22.3,21:9] 

©A 

No 

[-37. 1 ,52.2] 

©£ 

No 

[-51.7,66.1] 

|Ee F | 

No 

63 

|E* N | 

No 

77 

INEQUALITY CONSTRAINTS 


Requirement 

Enabled 

Extreme Values 

|a»h 

Yes 

2.0 


No 

2.5 

|AS,Nf| 

No 

7.7 

|45^| 

No 

17.4 
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